<html>

<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Edit/Save File Slack...</title>
<link rel="stylesheet" type="text/css" href="../explorer++.css">
</head>

<body>

<h2 class="Heading_2_no_table"><a name="top"></a><a href="../nav/mnu-edit.htm">
Edit</a>/Save File Slack...</h2>
<p>This function recovers a <b>single</b> file's slack space and saves it to a 
(text) file using a standard <i>Save As</i> dialog.&nbsp; Multiple files may be 
selected, but the resulting slack file is usually not useful or complete.&nbsp; 
In some cases, this may help recover lost data which has been overwritten, but 
the user should not rely on this.&nbsp; Even when file slack is saved as a text 
file, the output may still contain some binary (i.e. non-text) data.</p>
<p>See below for more information on file slack.</p>
<p>&nbsp;</p>
<h3><a name="about"></a>About File Slack</h3>
<p>When Windows formats a hard disk, it uses the disk capacity to determine a 
cluster size - the minimum unit of disk space available for file storage.&nbsp; 
In most cases on NTFS file systems, this will be 4 kilobytes or 4096 bytes.&nbsp; 
This means that as file space is allocated to a saved file, the actual space 
used is stepped in 4 kilobyte increments.&nbsp; A 2 KB file, for example, would 
still use (at least) 4 KB of disk space.&nbsp; Checking a file's
<a href="../mnu_file/properties.htm">properties</a> shows that in apparently 
every case the size on disk is larger than the actual file size.&nbsp; Some of 
this disk space is used for attributes, security/permissions, etc., but in most 
large files, the majority of the space is dedicated to actual file data.</p>
<p>But not all...!&nbsp; Since files - unless the size of data + attributes, 
etc. <b>exactly</b> equals a multiple of sector size - use disk space in 4 KB 
increments, some empty space usually exists in the disk clusters.&nbsp; 
That empty space is not assigned to file data, or to attributes, security 
concerns, etc.; it is just <i>wasted</i> space and usually contains data left 
over from previous files which occupied the same clusters, or simply random 
memory bytes which were written with the file.&nbsp; That empty space (i.e. <b>
file slack</b>) <i>could</i> contain data placed there intentionally by 
malevolent programs, or <i>could</i> be used by the user to hide data.&nbsp; 
Programs such as
<a class="EXTlnk" title="http://www.metasploit.com/research/projects/antiforensics/" target="_blank" href="http://www.metasploit.com/research/projects/antiforensics/">
Slacker</a> can hide files within a file's slack space; interesting, but not a 
good idea unless you are sure that the file size will not change and that the 
file will not be erased.</p>
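<p>The two kinds of leftover bytes described above (padding written with the 
file, and data from a previous occupant of the cluster) can be told apart by 
position. The following is an added example, not code from Explorer++ or its 
documentation: it assumes 512-byte sectors, a contiguous file, and a small 
constructed volume image whose padding is modelled as zero bytes; all function 
names are hypothetical.</p>

```python
import re

SECTOR = 512      # bytes per sector (assumed for this example)
CLUSTER = 4096    # bytes per cluster, the usual NTFS value named above


def slack_regions(file_size, cluster=CLUSTER, sector=SECTOR):
    """Return (ram_slack, drive_slack) byte counts for a file's last cluster."""
    used = file_size % cluster            # file bytes in the last cluster
    if used == 0:
        return 0, 0                       # file ends on a cluster boundary
    ram = -used % sector                  # padding up to the next sector edge
    return ram, cluster - used - ram      # untouched sectors after that


def extract_slack(image, first_cluster, file_size, cluster=CLUSTER, sector=SECTOR):
    """Slice both slack regions out of a raw image (contiguous file assumed)."""
    ram, drive = slack_regions(file_size, cluster, sector)
    end = first_cluster * cluster + file_size
    return image[end:end + ram], image[end + ram:end + ram + drive]


def printable_runs(data, min_len=4):
    """ASCII runs in a slack dump; the rest is the binary residue."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def build_sample_image():
    """Constructed 2-cluster image: cluster 1 is reused by a 2000-byte file."""
    old = (b"OLD-INVOICE-4471;" * 300)[:CLUSTER]   # previous occupant's data
    new = b"\x01" * 2000 + b"\x00" * 48            # new data + zeroed padding
    return b"\x00" * CLUSTER + new + old[len(new):]


if __name__ == "__main__":
    ram, drive = extract_slack(build_sample_image(), 1, 2000)
    print("sector padding:", len(ram), "bytes, strings:", printable_runs(ram))
    print("leftover sectors:", len(drive), "bytes")
    print("first recovered text:", printable_runs(drive)[0][:34])
```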
<p>The concept of file slack forms an important part of computer forensics - 
analysis of computer data for legal evidentiary purposes.&nbsp; An interesting 
short video on the possible use of file slack to learn more about a computer 
user can be found
<a class="EXTlnk" title="http://www.youtube.com/watch?v=E17PIdJ7HAM" target="_blank" href="http://www.youtube.com/watch?v=E17PIdJ7HAM">
here</a> on <i>YouTube</i>.</p>
<p><a title="Top of page" href="#top" style="background-color:transparent">
<img border="0" src="../images/common/arrow_top.gif" width="23" height="23"></a></p>

</body>

</html>
